- updated to 3.6.0
1 --- kernel-grsec_full.patch.org 2011-08-24 09:32:29.113836788 +0200
2 +++ kernel-grsec_full.patch     2011-08-24 10:43:17.023101342 +0200
3 @@ -11175,9 +11175,9 @@
4  @@ -186,7 +186,7 @@ void dump_stack(void)
5   
6         bp = stack_frame(current, NULL);
7 -       printk("Pid: %d, comm: %.20s %s %s %.*s\n",
8 --              current->pid, current->comm, print_tainted(),
9 -+              task_pid_nr(current), current->comm, print_tainted(),
10 +       printk("Pid: %d, comm: %.20s xid: #%u %s %s %.*s\n",
11 +-              current->pid, current->comm, current->xid, print_tainted(),
12 ++              task_pid_nr(current), current->comm, current->xid, print_tainted(),
13                 init_utsname()->release,
14                 (int)strcspn(init_utsname()->version, " "),
15                 init_utsname()->version);
16 @@ -14211,9 +14211,9 @@
17  @@ -106,7 +123,7 @@ void show_regs_common(void)
18   
19         printk(KERN_CONT "\n");
20 -       printk(KERN_DEFAULT "Pid: %d, comm: %.20s %s %s %.*s",
21 --              current->pid, current->comm, print_tainted(),
22 -+              task_pid_nr(current), current->comm, print_tainted(),
23 +       printk(KERN_DEFAULT "Pid: %d, xid: #%u, comm: %.20s %s %s %.*s",
24 +-              current->pid, current->xid, current->comm, print_tainted(),
25 ++              task_pid_nr(current), current->xid, current->comm, print_tainted(),
26                 init_utsname()->release,
27                 (int)strcspn(init_utsname()->version, " "),
28                 init_utsname()->version);
29 @@ -37570,9 +37570,9 @@
30   #include <linux/slab.h>
31   #include <linux/fs_struct.h>
32  +#include <linux/grsecurity.h>
33 + #include <linux/vserver/global.h>
34   #include "internal.h"
35   
36 - static inline void path_get_longterm(struct path *path)
37  @@ -31,6 +32,7 @@ void set_fs_root(struct fs_struct *fs, s
38         old_root = fs->root;
39         fs->root = *path;
40 @@ -39661,9 +39661,9 @@
41   #endif
42   #ifdef CONFIG_SCHEDSTATS
43  @@ -2857,6 +2972,9 @@ static const struct pid_entry tgid_base_
44 - #ifdef CONFIG_HARDWALL
45         INF("hardwall",   S_IRUGO, proc_pid_hardwall),
46   #endif
47 +       ONE("nsproxy",  S_IRUGO, proc_pid_nsproxy),
48  +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
49  +      INF("ipaddr",     S_IRUSR, proc_pid_ipaddr),
50  +#endif
51 @@ -39733,11 +39733,11 @@
52  +      rcu_read_unlock();
53  +#endif
54                 filp->f_pos = iter.tgid + TGID_OFFSET;
55 +               if (!vx_proc_task_visible(iter.task))
56 +                       continue;
57  -              if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
58  +              if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
59                         put_task_struct(iter.task);
60 -                       goto out;
61 -               }
62  @@ -3141,7 +3294,7 @@ static const struct pid_entry tid_base_s
63         REG("sched",     S_IRUGO|S_IWUSR, proc_pid_sched_operations),
64   #endif
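Review bot: The added `if (!vx_proc_task_visible(iter.task)) continue;` skips a task after `filp->f_pos` has already been advanced and, unlike the error branch right below it, does not call put_task_struct() itself; it relies on the loop's increment expression, which lies outside the hunk, to release the reference held in iter.task. That is fine if next_tgid() still drops the previous iter.task before looking up the next one in the vserver-patched tree — please confirm, since a missed release here would leak one task reference per hidden task on every /proc readdir. A one-line comment on the `continue`, such as `/* reference on iter.task is dropped by next_tgid() in the loop increment */`, would make the ownership explicit. The enclosing readdir loop starts and ends outside the hunk.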
65 @@ -39815,9 +39815,9 @@
66  +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
67  +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
68  +#endif
69 - extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
70 + extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
71 +                               struct pid *pid, struct task_struct *task);
72   
73 - extern const struct file_operations proc_maps_operations;
74  diff -urNp linux-3.0.3/fs/proc/Kconfig linux-3.0.3/fs/proc/Kconfig
75  --- linux-3.0.3/fs/proc/Kconfig        2011-07-21 22:17:23.000000000 -0400
76  +++ linux-3.0.3/fs/proc/Kconfig        2011-08-23 21:48:14.000000000 -0400
77 @@ -53625,10 +53625,10 @@
78   static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
79         mode_t mode, struct proc_dir_entry *base, 
80         read_proc_t *read_proc, void * data)
81 -@@ -258,7 +271,7 @@ union proc_op {
82 -       int (*proc_show)(struct seq_file *m,
83 -               struct pid_namespace *ns, struct pid *pid,
84 -               struct task_struct *task);
85 +@@ -278,7 +278,7 @@ union proc_op {
86 +       int (*proc_vs_read)(char *page);
87 +       int (*proc_vxi_read)(struct vx_info *vxi, char *page);
88 +       int (*proc_nxi_read)(struct nx_info *nxi, char *page);
89  -};
90  +} __no_const;
91   
92 @@ -55990,15 +55990,15 @@
93         new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
94         if (!new)
95                 return NULL;
96 -@@ -287,6 +295,8 @@ struct cred *prepare_creds(void)
97 -       const struct cred *old;
98 +@@ -268,6 +268,8 @@ struct cred *__prepare_creds(const struc
99 + {
100         struct cred *new;
101   
102  +      pax_track_stack();
103  +
104 -       validate_process_creds();
105
106         new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
107 +       if (!new)
108 +               return NULL;
109  @@ -333,6 +343,8 @@ struct cred *prepare_exec_creds(void)
110         struct thread_group_cred *tgcred = NULL;
111         struct cred *new;
112 @@ -56607,13 +56607,15 @@
113         return 0;
114   }
115   
116 -@@ -1104,10 +1142,13 @@ static struct task_struct *copy_process(
117 -       DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
118 - #endif
119 -       retval = -EAGAIN;
120 -+
121 +@@ -1156,13 +1156,15 @@ static struct task_struct *copy_process(
122 +       init_vx_info(&p->vx_info, current_vx_info());
123 +       init_nx_info(&p->nx_info, current_nx_info());
124
125  +      gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
126  +
127 +       retval = -EAGAIN;
128 +       if (!vx_nproc_avail(1))
129 +               goto bad_fork_free;
130         if (atomic_read(&p->real_cred->user->processes) >=
131                         task_rlimit(p, RLIMIT_NPROC)) {
132  -              if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
133 @@ -58032,8 +58034,8 @@
134  +      struct task_struct *task;
135  +
136         rcu_lockdep_assert(rcu_read_lock_held());
137 --      return pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
138 -+      task = pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
139 +-      return pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
140 ++      task = pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
141  +
142  +      if (gr_pid_is_chrooted(task))
143  +              return NULL;
144 @@ -58249,7 +58251,7 @@
145  diff -urNp linux-3.0.3/kernel/printk.c linux-3.0.3/kernel/printk.c
146  --- linux-3.0.3/kernel/printk.c        2011-07-21 22:17:23.000000000 -0400
147  +++ linux-3.0.3/kernel/printk.c        2011-08-23 21:48:14.000000000 -0400
148 -@@ -313,12 +313,17 @@ static int check_syslog_permissions(int 
149 +@@ -314,12 +314,17 @@ static int check_syslog_permissions(int
150         if (from_file && type != SYSLOG_ACTION_OPEN)
151                 return 0;
152   
153 @@ -58259,7 +58261,7 @@
154  +#endif
155  +
156         if (syslog_action_restricted(type)) {
157 -               if (capable(CAP_SYSLOG))
158 +               if (vx_capable(CAP_SYSLOG, VXC_SYSLOG))
159                         return 0;
160                 /* For historical reasons, accept CAP_SYS_ADMIN too, with a warning */
161                 if (capable(CAP_SYS_ADMIN)) {
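Review bot: The rewritten line `if (vx_capable(CAP_SYSLOG, VXC_SYSLOG))` gates CAP_SYSLOG by the vserver context, but the historical fallback two lines below still uses plain `capable(CAP_SYS_ADMIN)`, so a guest context that lacks VXC_SYSLOG yet holds CAP_SYS_ADMIN would presumably still pass through the deprecated path (with the warning). That asymmetry is inherited from the vserver patch rather than introduced here, but since this hunk re-bases the grsec context around exactly that check, it is worth confirming whether the fallback is meant to read `if (vx_capable(CAP_SYS_ADMIN, VXC_SYSLOG)) {` or whether guests are intentionally allowed the legacy route. check_syslog_permissions() continues outside the hunk.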
162 @@ -58918,7 +58920,7 @@
163  -      if (increment < 0 && !can_nice(current, nice))
164  +      if (increment < 0 && (!can_nice(current, nice) ||
165  +                            gr_handle_chroot_nice()))
166 -               return -EPERM;
167 +               return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
168   
169         retval = security_task_setnice(current, nice);
170  @@ -5111,6 +5116,7 @@ recheck:
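Review bot: The rewritten return `return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;` now also covers the `gr_handle_chroot_nice()` branch of the combined condition, so in a context with VXF_IGNEG_NICE set a chroot'd caller that grsec refuses sees sys_nice() report success while its nice value is left unchanged; the denial becomes invisible to the caller, whatever gr_handle_chroot_nice() itself logs. If the silent-ignore semantics are meant only for the vserver policy and not for the chroot restriction, keep the two outcomes separate: `if (increment < 0 && !can_nice(current, nice)) return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;` followed by `if (increment < 0 && gr_handle_chroot_nice()) return -EPERM;`, which preserves the original evaluation order. sys_nice() continues outside the hunk.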
171 @@ -58987,10 +58989,11 @@
172         if (is_global_init(tsk))
173                 return 1;
174         if (handler != SIG_IGN && handler != SIG_DFL)
175 -@@ -770,6 +773,13 @@ static int check_kill_permission(int sig
176 -               }
177 +@@ -797,6 +797,14 @@
178 +                       sig, info, t, vx_task_xid(t), t->pid, current->xid);
179 +               return error;
180         }
181
182 ++
183  +      /* allow glibc communication via tgkill to other threads in our
184  +         thread group */
185  +      if ((info == SEND_SIG_NOINFO || info->si_code != SI_TKILL ||
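Review bot: The regenerated inner hunk header `+@@ -797,6 +797,14 @@` drops the function context that the replaced header carried (`static int check_kill_permission(int sig`), which makes this part of the patch harder to audit when it is read on its own. Restoring it as `+@@ -797,6 +797,14 @@ static int check_kill_permission(int sig` costs nothing and matches the other rewritten headers in this file, e.g. the `__prepare_creds` and `union proc_op` ones, which keep their context. The grsec block this header introduces continues in the next hunk.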
186 @@ -58998,9 +59001,9 @@
187  +          && gr_handle_signal(t, sig))
188  +              return -EPERM;
189  +
190 + /* skip: */
191         return security_task_kill(t, info, sig, 0);
192   }
193
194  @@ -1092,7 +1102,7 @@ __group_send_sig_info(int sig, struct si
195         return send_signal(sig, info, p, 1);
196   }
197 @@ -65122,6 +65125,7 @@
198   
199   #include <net/inet_connection_sock.h>
200   #include <net/inet_hashtables.h>
201 + #include <net/route.h>
202   #include <net/secure_seq.h>
203   #include <net/ip.h>
204   
205 @@ -65129,7 +65133,6 @@
206  +
207   /*
208    * Allocate and initialize a new local port bind bucket.
209 -  * The bindhash mutex for snum's hash chain must be held here.
210  @@ -530,6 +533,8 @@ ok:
211                         twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
212                 spin_unlock(&head->lock);
213 @@ -65875,9 +65878,9 @@
214  +extern int grsec_enable_blackhole;
215  +#endif
216  +
217 - int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
218 + int ipv6_rcv_saddr_equal(const struct sock *sk1, const struct sock *sk2)
219   {
220 -       const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
221 +       const struct in6_addr *sk1_rcv_saddr6 = &inet6_sk(sk1)->rcv_saddr;
222  @@ -548,7 +552,7 @@ int udpv6_queue_rcv_skb(struct sock * sk
223   
224         return 0;